
Data security habits of business professionals today

John Sears



Sep 08, 2023



In June 2023, we conducted a survey for which 500 business professionals provided answers about their data security habits.

Our key findings:

  • More than 50% of companies have experienced a cybersecurity incident in the last 12 months.
  • About 25% of respondents wouldn’t know what to do in case of a cyberattack.
  • Only half of the companies use encryption.
  • Approximately 40% of companies don’t have a dedicated person for cybersecurity incidents.
  • Nearly 25% of companies have never had any cybersecurity training.
  • About 39% of respondents have sent an email to the wrong person at some point in time.
  • The industry most vulnerable to cybersecurity issues is marketing.

We are all defined by our habits. Habits help us give shape and structure to our everyday lives and — when they’re good — they allow us to be healthier, happier, more productive, and more successful.

Bad habits, on the other hand, can lead to us making wrong assumptions, incorrect judgments, and poor decisions. Some habits are difficult to identify as bad until something goes wrong — however, many can be noticed when we look at our actions with an objective eye.

Below you will find the results of our survey on the data security habits of today's business professionals. For some, these results will be a big surprise while for others, they will be a reason to re-evaluate their own cybersecurity strategies.

Here’s what we found out…

Discovery #1

As many as 54% of companies have experienced a cybersecurity incident in the past 12 months

That’s right. More than half of our respondents faced either phishing, a data breach due to a third-party vendor hack, malware infection via a malicious email attachment, or some other cybersecurity threat in the last year.

When it comes to industries, our analysis shows that the marketing industry is most likely to experience issues such as data breaches resulting from a third-party vendor compromise. Other industries, such as the legal industry, face such problems less often but none of them are totally immune to cybersecurity incidents.

Discovery #2

About 40% of companies don’t have a dedicated person for cybersecurity incidents

Despite unclear responsibilities and sometimes not having one specific person they can reach out to, 75% of respondents say that they would know — based on training (52%) or employer's instructions (22%) — what to do if there was a cyberattack in their company.

But that also means that 25% of those surveyed wouldn’t know what to do if there was a cyberattack.

Discovery #3

Approximately 24% of companies have never had any cybersecurity training

Our research shows that not only have 1/4 of our respondents never undergone cyber protection training, but most of them attend such training only once a year (25%), once a quarter (25%), or just once during onboarding activities (9%).

Only 17% of those surveyed conduct cybersecurity training once a month to increase employees' awareness of potential dangers they can encounter.

Discovery #4

Many employees think that companies hold them accountable for security issues

When asked about responsibility for phishing attacks, ransomware attacks, and malware infections, respondents said that companies often pointed to employees as the ones who should be held liable for these types of threats.

Discovery #5

Only 56% of respondents are required to update their software

Despite the importance of constantly updating software and devices used for business purposes, only slightly more than 50% of companies require employees to carry out this activity. In the remaining cases, respondents say that they update the software of their own volition (22%) or simply indicate that such processes are not required at their organizations. In both cases, it is hard to say whether they regularly update their tools or not.

Discovery #6

More than 30% of respondents store their personal information on their work computer

Although our research indicated that only 22% of respondents use work computers for personal purposes, it is still a number that can push your imagination to some unsettling scenarios.

After all, you can also read the above information like this: one in five people use their work computer for personal purposes or to store their personal data. Putting it this way adds to the gravity of the situation.

Employees using work devices for personal purposes can significantly affect the security of company data, especially when faced with threats such as ransomware attacks (hackers may try to use the information on the device to intimidate the employee into giving access to company resources).

Our research also reveals that 36% of respondents are highly concerned about their own privacy when using their work computer. Asked whether they would see a leak of their personal information as a significant threat, 61% confirmed they would.

Discovery #7

Only half of the companies use encryption

Not only do some of the respondents not use encryption (24%) or know whether their company secures documents with it (23%), but also 39% of them confirm that they had, at some point in time, sent an email to the wrong person.

In other words, it means that there is a significant probability that many unsecured documents (that can easily be accessed and exploited by hackers) are shared by company members on a daily basis. There is also a considerable danger that these documents may sometimes be sent to unintended recipients, leading to potential security breaches.

Below, you will see a graph that explains how business professionals usually share data with team members, business partners, or clients. Don’t be surprised if these findings make you go: “hang on, how do members of my organization share business files?”

Discovery #8

42% of respondents reuse passwords for home and work accounts

The above finding may be related to the fact that less than half of respondents (41%) remember their passwords. Therefore, to save time, they use the same passwords to log in to several applications and systems at the same time — completely forgetting about the risk factor.

When asked how often they change their passwords, respondents said they do so once a year (11%), once every six months (26%), and once a quarter (39%). However, we cannot be sure whether these new passwords are actually new, unique, and difficult to detect, or if they are passwords the respondents have already used before.

A worrying piece of information is that nearly 40% of respondents still keep their passwords in an open file on their computer or in a notebook. And even though many people keep their passwords in browser-based (27%) and third-party (28%) password managers, the fact remains that statistically almost two-fifths of users store their passwords in a place that is not safe.

What does it all mean?

It means that the data security habits of many business professionals leave much to be desired. Although a significant part of employees probably use encryption, password managers, or encrypted cloud storage platforms to protect company data, many of them risk the security of their organization by sometimes acting in an irresponsible way.

So, if you want to take matters into your own hands and do something to increase the level of cybersecurity of your company right now, you can get a tool that will help turn some of your employees’ bad data security habits into good ones.

That tool can be NordLocker, an encrypted cloud storage platform that will allow you and your team members to safely store, manage, and exchange sensitive company data. Thanks to features such as end-to-end encryption, multi-factor authentication, and an admin control panel, using the platform is tantamount to introducing high cybersecurity standards in the company.

It also involves putting in place a safety policy that your employees won't be able to ignore and, at the same time, one that won't make them feel less comfortable working. This is because NordLocker, with its drag-and-drop, intuitive interface, is very easy to use and proves that maintaining a security-first company culture does not have to be difficult and time-consuming.

If you want to check for yourself if what we say is true, you can go to our website and get a 14-day free trial. And who knows, maybe this will be your first step towards improving your company’s cybersecurity. There’s only one way to find out.

Important note: If you suspect that your employees have bad password use habits — similar to those described in the results of our survey — or you just want them to store, manage and share passwords, passkeys, and payment information with others in a secure way, you can use NordPass, our fully encrypted password manager. Visit our main page for this product to learn more about it and also get a 14-day free trial to try it out with your team.


Data presented in this article was collected from a survey on June 8-13, 2023 by researchers from Nord Security.

The survey examined the cybersecurity habits of 500 business professionals from small to medium-sized companies (up to 100 employees) in the finance, accounting, law, tax consulting, and marketing sectors.

This size and sector range was selected to represent businesses that often face unique cybersecurity challenges compared to their larger counterparts.

All data were collected anonymously to encourage honesty and openness from participants about their cybersecurity habits. To ensure impartiality and diversity, an independent third-party panel of respondents was used.

John Sears


John believes that the best things in life are simple. He uses the same approach when he’s writing about online security. John says that his #1 pet peeve is phishing scams. Ironically, his favorite non-work related activity is fishing.